IP Address Inspector

ATTENTION
  • This IP has not seen any suspicious activity within the last 3 months. This IP is most likely clean and trustworthy now. (This record will remain public for historical purposes, however.)

216.104.15.138

The Project Honey Pot system has detected behavior from the IP address consistent with that of a comment spammer and rule breaker. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.

Geographic Location: United States (Texas)
Spider First Seen: approximately 15 years, 2 weeks ago
Spider Last Seen: within 11 years, 11 months, 3 weeks
Spider Sightings: 1,093 visit(s)
User-Agents: seen with 1 user-agent(s)

First Post On: approximately 13 years, 10 months, 3 weeks ago
Last Post On: within 13 years, 9 months, 5 weeks
Form Posts: 5 web post submission(s) sent from this IP

First Rule-Break On: approximately 14 years, 6 months, 2 weeks ago
Last Rule-Break On: within 12 years, 8 months, 2 weeks
Rule Breaks: 3 web page navigation rule(s) broken by this IP

IPs In The Neighborhood
Sample Spam URLs & Keywords Posted From 216.104.15.138
Domain: x-tube-x.blogspot.com
URL: http://x-tube-x.blogspot.com/
Keywords: x tube
Domain: uiluy.spruz.com
URL: http://uiluy.spruz.com/gfile/75r4!-!GLMGEH/literoctica.html
Keywords: literoctica
Domain: uiluy.spruz.com
URL: http://uiluy.spruz.com/gfile/75r4!-!GLMGEH/beastiality.html
Keywords: beastiality
216.104.15.138's User Agent Strings
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
J.Woody commented...
ATTEMPTED SCRIPT ATTACK (Attempt to run exploit script on non-existing area)

216.104.15.138 - United States - Trend Micro Incorporated

SMALL SAMPLE:
216.104.15.138 - - [26/Oct/2011:19:21:52 +0100] "GET /js/jquery.cookie-modified.js HTTP/1.0" 404 1225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
October 26 2011 07:05 PM

WEBSupport commented...
Another Brute Force IP by Trend Micro: 150.70.75.28
September 06 2011 08:03 PM

C.Paws commented...
I've got 150.70.64.198 and 150.70.75.32 hanging out on my site right now.

Thanks for the tip below, I banned 150.70.*
June 14 2011 11:59 AM

WEBSupport commented...
Two more IP's used by Trend Micro Brute Force bots:
150.70.172.109
150.70.97.43
May 25 2011 07:25 AM

WEBSupport commented...
Trend Micro Brute Force Bots - Known IP Addresses listed below (IP's added to-date)

Known rule Breakers with attempts at accessing Admin areas including cPanel
Frequently trigger Brute Force Locks trying to login to site Admin areas
Also known to download payable items and disregard htaccess

Most malicious IP's causing damages to sites, including WordPress
216.104.15.130
216.104.15.134
216.104.15.138
216.104.15.142

Kindly consolidate comments at this IP and Wikipedia
http://en.wikipedia.org/wiki/Trend_Micro

Trend Micro probably crossed the line to Malware
Damages less likely if Trend Micro is uninstalled as it
abuses the website's trust in visitors with Admin privileges.
May 19 2011 07:48 AM

E.Stieringer commented...
An administrative user on a site I developed is using Trend Micro as his virus protection software on his computer.

After logging into the administrative section of the site, there is activity from the following IP addresses:

150.70.64.194
216.104.15.138

Both of these IP addresses come from Trend Micro, the former residing in Japan, and the latter in Cupertino, California.

The activity from these IP addresses seems to mirror the administrator's activity, even logging in with his credentials. There is one exception: When he updates a section of the website, the bot does the same, but enters "0" in all of the fields, ruining the data which drives the site.

.htaccess blocking only affects them sporadically.
April 24 2011 03:19 PM

L.Johnson11 commented...
A repeat case - Trend Micro 'attack bots' seem to be trying to DDOS my sites from a number of different IP's.

216.104.15.130
216.104.15.134
216.104.15.138
216.104.15.142
150.70.0.0 - 150.70.255.255
216.104.0.0 - 216.104.31.255

HTACCESS does not affect the pages they load or the behavior. They also attempted to access administration areas and restricted content, of which provided me with an alert (per attempt). During a single 30-minute period, I received just over 130,000 alerts from pages that were accessed incorrectly or without permissions, and five IP addresses were automatically banned - maybe suing them for non stop abuse will get their attention, if this is a serious issue.

If this is functionality built-into Trend Micro being abused (as it would seem), or it is being used in such a way that it is causing many sites to crash, putting my services out of action and risking security, I will indefinitely consider calling them up about it, or ultimately, legal action.
April 16 2011 06:37 AM

WEBSupport commented...
April 07, 2011 - Tough Questions:
Brute Force tactics by Trend Micro detected from the following IP Ranges again:
150.70.0.0 - 150.70.255.255
216.104.0.0 - 216.104.31.255
This IP and several other IPs allocated to Trend Micro continue to break the rules, triggering Error403 alarms on servers. Trend is known to employ “ethical crackers”; whatever that is, but where do we draw the line? It is probably good having a bot tagging along on your Internet journey to harass malware and botnet sites if you use Trend Antivirus, but what about your bank? Payable items from secured areas are not left alone either, but Trend will probably call it “ethical theft” to ensure that items on sale are not malware infected. Bottom line – Where to draw the line between Malware and AV, or what is ethical? Trend is fighting fire with fire; perhaps a redirected DDOS will provide Trend with enough answers? Tough Questions for sure.
April 07 2011 09:30 AM

M.Hell2 commented...
These 'Trend Micro' attack bots seem to be trying to DDOS my sites from a number of different IP's.

216.104.15.130
216.104.15.134
216.104.15.138
216.104.15.142

Even though they are blocked in htaccess, that doesn't stop them from constantly requesting pages every second and filling up my logs.

So I'm thinking, since just blocking the Trend Micro attack bots doesn't seem to be enough, maybe suing them for non stop abuse will get their attention.
March 26 2011 11:50 AM

H.User6603 commented...
This is really weird behavior. Six events logged.
First, ip address 220.255.252.144(SG) appeared on site. Looked like a normal person.
Second, ip 150.70.172.104(JP) showed up opening page of my site-index.php. Nothing unusual.
Third, ip address 220.255.252.144(SG) began to place an ad on the site. Created path 'editview-si.php?town=Toa-Payoh&category=anything&label=60054058'. Again looked like a normal person, but then he quit. Oddly, he chose 'outside Singapore' as his location.
Fourth, the Japanese ip address 150.70.172.104(JP) moved to another page of my site. Nothing unusual there.
Fifth, a new ip address shows up-216.104.15.138 (US) and tries to access the path created by the SG ip in Step 3 'editview-si.php?town=Toa-Payoh&category=anything&label=60054058'. This got him blocked/banned from the site, because he tried to access the page directly from outside the site.
Sixth, an all new Japanese ip address shows up 150.70.75.34 (JP) and attempts to access the same path 'editview-si.php?town=Toa-Payoh&category=anything&label=60054058'. Again, he is blocked/banned from the site because he also tried to access the page directly from outside the site.
End of events....

220.255.252.144(SG)
216.104.15.138(US)
150.70.75.34(JP)
have a common thread - they used the same path. Also, I assumed that 150.70.172.104(JP) was used also by 'whomever'. I have no idea what they were trying to do, but two of the ips broke the 'no direct access' rule of the editview-si.php page. I blocked 220.255.252.144(SG) manually, also.
February 14 2011 06:29 PM

L.Nicolai commented...
Still active.
Tried to write to a non existing guestbook (honeypot).
January 31 2011 03:45 AM

F.Heinzmann commented...
Attempting to look at our photo gallery security log?
216.104.15.138 - - [30/Jan/2011:16:58:06 -0600] "GET /gallery/viewlog.php HTTP/1.0" 200 5796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
January 30 2011 11:38 PM

C.Willits commented...
Attempted user registration on 1/1/2011.
January 03 2011 01:21 PM

C.Johnson18 commented...
accessing our forums. banned.
August 10 2010 09:43 AM

C.Hill3 commented...
spammer
July 19 2010 10:51 AM

H.Toucano commented...
This is really VERY weird.
Today, I sent a private e-mail to 4 corporate people in the UK and Portugal containing a URL link to a folder/files on my private file server. The folder/files are hidden on my file server and ONLY accessible via a direct URL link to them from me. The folder name is complex to avoid hackers guessing the name.

Within 20 mins of sending the e-mail IP 216.104.15.138 attempted to access those files using the exact same link as I had previously quoted in my e-mail. Can this mean that IP: 216.104.15.138 is intercepting my e-mails? perhaps through my UK ISP?
June 15 2010 09:29 AM

R.Dunkle commented...
Aggressive spider from TrendMicro. It is working with 216.104.15.142.
Slurping entire gallery. Blocked.
216.104.0.0/19
May 28 2010 07:59 PM

H.User6343 commented...
2010-04-03 10:57:32 216.104.15.138 5 35 5 This request was blocked
2010-04-03 10:57:33 216.104.15.138 5 35 5 This request was blocked
April 03 2010 07:17 AM

D.Smith21 commented...
They keep coming back:

216.104.15.138

2010-01-26 19:54:05

IP address found on http:BL blacklist

http:BL:
Suspicious
Comment Spammer
Threat level 30
Age 51 days
GET /&type=wordpress2.9.1&wp=abc/&type=wordpress2.9.1&wp=abc HTTP/1.0
Host: www.drumpoint.org
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept-Language: en-us
Accept: */*
January 27 2010 11:59 AM

J.Brisebois commented...
They have NO BUSINESS accessing this URL:

The following error was generated on Monday, January 25, 2010 - 07:39:00 PM CST
Error 404 - Page Not Found
Requested URL: http://jummahtube.com/talkback/includes/:
Referring URL: http://jummahtube.com
IP Address: 216.104.15.138
User Agent:[ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) ]
January 25 2010 08:43 PM

A.E4 commented...
WOW! All I did was install MicroTrend's ** and then I was looking at my forums logs and saw it was accessing everything that I was! This really freaked me out! Then I was looking at the IP's and started looking them up all here. Every single one had something to do with MicroTrends! Needless to say I uninstalled it!

These are all the IP's that visited my forums in the 1/2 hr I had the program running:

216.104.15.130
216.104.15.142
216.104.15.134
216.104.15.138

And even stopforumspam.com has record of 3 of those comment spamming!
January 16 2010 10:02 AM

D.Smith21 commented...
This IP belongs to TrendMicro.com, a web security and antivirus software company. How about that.

216.104.15.138

2010-01-04 16:47:50

IP address found on http:BL blacklist

http:BL:
Suspicious
Comment Spammer
Threat level 29
Age 28 days
GET /wp-content/plugins/contact-form-7/contact-form-7.js?ver=2.0.7 HTTP/1.0
Host: www.drumpoint.org
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept-Language: en-us
Accept: */*
January 04 2010 12:17 PM

A.Morris3 commented...
Comment Spammer.
Also used: 216.104.15.138
October 24 2009 11:46 AM

W.Ni commented...
Comment spammer.
Also used:
216.104.15.130
216.104.15.142
216.104.15.134
October 09 2009 01:34 AM

A.Bolchis commented...
Comment Spammer
July 26 2009 08:32 PM

Page generated on: April 24 2024 03:38:59 AM

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.